IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Marriott fined £99m for 2018 data breach

ICO says the hotel chain 'failed to undertake due dilligence' in Starwood acquisition

The Information Commissioner's Office (ICO) has said it will fine Marriott International over 99 million following a breach of its systems that led to the exposure of approximately 339 million guest records.

The hotel chain revealed in November that an unknown third-party had gained unauthorised access to its Starwood guest reservation system by exploiting an unpatched vulnerability dating back to 2014.

Of the 339 million records accessed, it's thought around 30 million were related to residents of 31 countries in the European Economic Area, including seven million belonging to UK citizens.

Following an investigation by the ICO, it was found that Marriott, which bought the Starwood brand in 2016, "failed to undertake sufficient due diligence" during the acquisition and missed the vulnerability as a result. The hotel chain has now been fined 99,200,396 for infringements of GDPR.

"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

Despite the large fine, the ICO said the Marriott has co-operated with its investigation and has made improvements to its security arrangements since the breach came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.

It's been a busy week for the UK's data watchdog after announced its intent on Monday to fine British Airways for a similar data breach in September 2018. On that occasion, the penalty was a record-breaking 183 million after hackers compromised the personal data of half a million customers.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022